When it comes to Microsoft patch supersedence, a lot of factors come into play which include but are not limited to:

Operating system

Architecture: 32-bit, 64-bit

Service pack: none, SP1, SP2...

Service Release: base, R1, R2

Other factors, such as End-of-Life products, also play a role. This adds to the complexity of patching in large environments that span a wide range of operating systems and architectures.

* An important note to take into consideration when reviewing data relating to supersedence is that the current implementation is primarily designed for OS-level patches and not application-level patches. For that reason, patch reports only consider the OS level when deciding which patch to recommend.

Explanation

Walk the chain of "supersedence" relationships from QID A (the "root") until it ends, i.e. until we reach a QID Z which is not superseded by anything else.

Backtrack along the chain from Z until we get to a QID F which satisfies both of the following conditions:

F was detected (on the host where A was detected)

F is not filtered/excluded by any Patch filters selected for the Patch Report

* An important note to understand here is that the data being analyzed concerns vulnerabilities found on hosts, not patches. There will be many circumstances where a patch has been installed but vulnerable files are left behind for one reason or another, which means the QID will continue to be flagged. This can lead to confusion when reviewing a Patch Report and seeing a QID whose patch has been confirmed as installed. As such, the 'Exclude Superseded Patches' feature operates on the QIDs flagged on hosts, not on whether patches are installed or missing on those hosts.

QIDs 90834 and 90973 have not been detected on the host, so 90716 remains the highest advisable patch.
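The walk-then-backtrack procedure above, written out as a small Python example. This is added illustration, not Qualys' own implementation: the supersedence chain (90716 superseded by 90834, superseded by 90973), the per-host detection sets and the filter set are constructed sample data, and the ordering of those three QIDs is an assumption made for the example. As the note above says, the input is the set of QIDs flagged on a host, not a list of installed patches.

```python
"""Supersedence chain walk for one host (example, not Qualys' code).

walk_chain   : step 1, follow "superseded by" from root A until a QID Z that
               nothing supersedes.
recommend    : step 2, backtrack from Z toward A and return the first QID that
               is both detected on the host and not excluded by a patch filter.
exclude_superseded : apply that rule to every flagged QID on a host, which is
               what 'Exclude Superseded Patches' does to a Patch Report.
"""
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed sample data: QID -> QID that supersedes it (None = end of chain).
# The chain 90716 -> 90834 -> 90973 is assumed for illustration only.
SUPERSEDED_BY: Dict[int, Optional[int]] = {
    90716: 90834,
    90834: 90973,
    90973: None,
}


def walk_chain(root: int, superseded_by: Dict[int, Optional[int]]) -> List[int]:
    """Return [root, ..., Z] where Z is not superseded by anything.

    A cycle in the supersedence data would otherwise loop forever, so it is
    reported as bad input rather than silently truncated.
    """
    chain = [root]
    seen = {root}
    current = root
    while True:
        nxt = superseded_by.get(current)
        if nxt is None:
            return chain
        if nxt in seen:
            raise ValueError(f"supersedence cycle at QID {nxt}")
        chain.append(nxt)
        seen.add(nxt)
        current = nxt


def recommend(root: int,
              superseded_by: Dict[int, Optional[int]],
              detected: Set[int],
              excluded: FrozenSet[int] = frozenset()) -> Optional[int]:
    """Backtrack from the end of root's chain; first detected, non-excluded QID wins.

    Returns None when nothing in the chain is flagged on this host, i.e. there
    is nothing to recommend for this root.
    """
    for qid in reversed(walk_chain(root, superseded_by)):
        if qid in detected and qid not in excluded:
            return qid
    return None


def exclude_superseded(detected: Set[int],
                       superseded_by: Dict[int, Optional[int]],
                       excluded: FrozenSet[int] = frozenset()) -> Set[int]:
    """Collapse a host's flagged QIDs to the highest advisable patch per chain."""
    keep: Set[int] = set()
    for qid in detected:
        rec = recommend(qid, superseded_by, detected, excluded)
        if rec is not None:
            keep.add(rec)
    return keep


if __name__ == "__main__":
    # The case from the explanation: only 90716 is flagged on the host.
    print(recommend(90716, SUPERSEDED_BY, {90716}))          # 90716
    # Both the root and the newest QID are flagged: the newest is recommended.
    print(recommend(90716, SUPERSEDED_BY, {90716, 90973}))   # 90973
    # Same host, but 90973 is removed by a patch filter: fall back to 90716.
    print(recommend(90716, SUPERSEDED_BY, {90716, 90973}, frozenset({90973})))  # 90716
    # Whole-host view, as 'Exclude Superseded Patches' would present it.
    print(exclude_superseded({90716, 90834}, SUPERSEDED_BY))  # {90834}
```

The filter set models a Patch filter selected for the report: a QID that is detected but filtered out is skipped during the backtrack, so the recommendation falls to the next older QID that is still flagged, which is the behaviour the two conditions above describe.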

This is helpful, but an option to exclude superseded QIDs is not available on all reports (in particular Scorecard reports). Is there a way to use a static or dynamic filter to achieve the same results? Or do Qualys periodically publish the list of QIDs that are superseded?

Thank you! I do have a question, can you explain "As such, using 'Exclude Superseded Patches' is working on QIDs on hosts, not either or not patches are or are not already on the hosts." I don't understand that bit. Kind regards!

Is there any news on the announced Supersedence API? We are just struggling with identifying superseding patches. As shown in a video on Patch Reports (Patch Report on Vimeo), it is already possible to identify superseding patches from this patch report. I do not have any clue how to export these in a separate report (csv or xls, however). Can anybody help? Any help is very much appreciated. Kind regards!

There are lots of different opinions available on supersedence, and I need to know what Qualys means when it says it's for something superseded. It's unclear to me what patch supersedence actually means, despite this thorough explanation, as this phrase is unclear, "a patch has been installed, but vulnerable files are left behind for one reason or another, which means the QID will continue to be flagged". What does that mean, exactly? If vulnerable files remain, doesn't this mean that the vulnerability remains? Or, are these files that indicate a vulnerability state that cannot be exploited? For example, perhaps an icon or font file unique to a known vulnerable package XYZ version 17 that remains on the host, indicating that XYZ v17 is installed, but it's actually not due to patching/upgrades?

What I hope it really means is that 5 vulnerabilities are resolved by patch 192, and this supersedes patches 191, 190, 189 and 188 that all covered the same vulnerability, so that this is fully patched by latest patch 192.... but that doesn't jive with "vulnerable files are left behind".

Some vendors, notably one located near Seattle, are known for "un-patching" previously resolved vulnerabilities in subsequent patches. Does a superseded patch connote a system which remains vulnerable to this issue, because the vulnerable bits are still there, but no longer referenced?